Updated: 2009-04-09

Lightweight Directory Access Protocol (LDAP) is an Internet protocol that software programs can use to query directory services so users can easily find other e-mail users on the Internet or corporate intranet. Microsoft Exchange Server supports LDAP queries, enabling users to look up address information on the server. LDAP can also be used to search a number of global directories on the Internet, such as Yahoo!

Enhanced LDAP support in Microsoft Office Outlook 2007 includes the ability to disable certain searches (directory browsing) by default and the option to create customized filters. You can configure LDAP search behavior by using the Office Customization Tool (OCT) or a Group Policy setting. When you define custom filters, you can provide the filters to users by setting registry keys or by using an Outlook Profile (PRF) file.

Configuring LDAP directory browsing

By default, Office Outlook 2007 directory browsing or Virtual List View (VLV) searches for LDAP are disabled, and users can enable the feature.

Disabling directory browsing

You can prevent users from using directory browsing by configuring a setting in Group Policy.

You can lock down the setting to enforce disabling directory browsing by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool, in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.

To disallow enabling directory browsing for LDAP by using Group Policy

  1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).

  2. Under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous, double-click Turn on VLV Browsing on LDAP servers.

  3. Click Disabled.

  4. Click OK.

More information about LDAP directory browsing

In Outlook 2003, directory browsing was enabled by default. Directory browsing is suitable only for small LDAP directories, however. Outlook 2003 Service Pack 2 introduced a registry key that allows VLV searches to be disabled, and Office Outlook 2007 uses the same registry key to regulate this feature. If your environment uses small LDAP directories and requires directory browsing, you can enable the feature by configuring the option in the Office Customization Tool or by setting the registry key (to make it the default), or by using Group Policy (to enable and lock down the setting).

If you do not lock down the setting, users can enable or disable the option by using the check box on the Search tab of the Microsoft LDAP Directory dialog box in Outlook.

The existing registry key that managed this LDAP setting in earlier versions of Outlook continues to override server-specific settings that users choose. The registry key is:

HKCU\Software\Microsoft\Office\12.0\Outlook\LDAP\DisableVLVBrowsing

If this registry key is set to 0, the check box is cleared and dimmed so that users cannot modify it.

If this registry key is set to 1, the check box is selected and dimmed so that users cannot modify it.

Default and customized check names filters

Outlook uses the following default LDAP filters if you do not provide a custom check names filter. You can define a custom check names filter, set through the CheckNames property, that describes the specific query Outlook sends when it checks names and returns the list of matching entries from the LDAP directory.

Default LDAP filters

Outlook uses a default filter if the registry key for setting a custom check names filter is empty. The default filter used depends on two criteria:

  • Is Active Directory server used?

  • Is a browse list display requested or is an e-mail name queried?

If the user requests a browse list, the results can include entries that have no e-mail address, such as printers.

The following are the default filters for each scenario:

  • For queries using an Active Directory server, where a user queries an e-mail name:

    (&(mail=*)(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(displayName=%s*))

    The (mail=*) clause requires that every matching entry have an e-mail address.

  • For queries using an Active Directory server, where a browse list is displayed (which can include items that are not e-mail names):

    (&(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(displayName=%s*)))

  • For queries using any other server (not Active Directory), with an e-mail name query:

    (&(mail=*)(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*))

  • For queries using any other server (not Active Directory), with the browse list displayed:

    (&(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)))

Defining customized LDAP filters

You can provide a custom LDAP filter so that users can query additional information you provide on your LDAP server. You can define a custom filter by using an Outlook Profile (PRF) file, or you can write the custom filter string directly into the Outlook profile in the registry.

For example, you might have a CustomerID property, which is not included in the default filter. You could define the following LDAP custom filter to allow users to search on the CustomerID property:

(&(mail=*)(|(mail=%s*)(displayName=%s*)(customerID=%s*)))
Note:

RFC 4515 (LDAP: String Representation of Search Filters) defines the format for search filter strings, including how the characters *, (, ), \ and NUL must be escaped inside an assertion value. For more information about constructing LDAP filters, see that RFC.

You can also set a blank filter. Outlook then uses its default check names filter, and the default search base is taken from the server's RootDSE (the entry that publishes the directory's naming contexts). You create a blank filter by clearing the registry entry or by setting the CheckNames property to "" in the Outlook Profile (PRF) file.
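The substitution and escaping described above, as an added example that is not part of this topic or of Outlook's own code: a small Python parser for RFC 4515 filters that expands a check names template, escapes the typed name, and validates the result. The four template strings are the default filters listed above; the parser, the dictionary keys, the sample inputs and the function names are the example's own. Whether Outlook itself escapes the typed name before substituting it for %s is not stated in this topic; the example shows why any tool that builds filters from these templates must, and it also reports the two malformed filters that appear elsewhere in this topic (an unclosed filter, and a NOT with two operands).

```python
# Added example (not Outlook code): expand an Outlook-style check names filter
# template, escape the user's text per RFC 4515, and validate the result.
# The template strings are the default filters from this topic; the parser,
# the (server, query) labels and the sample inputs are this example's own.

DEFAULT_FILTERS = {
    ("active-directory", "email"):
        "(&(mail=*)(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(displayName=%s*)))",
    ("active-directory", "browse"):
        "(&(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)(displayName=%s*)))",
    ("other", "email"):
        "(&(mail=*)(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)))",
    ("other", "browse"):
        "(&(|(mail=%s*)(cn=%s*)(sn=%s*)(givenName=%s*)))",
}

# RFC 4515 section 3: these characters must be written as \XX inside an
# assertion value; otherwise the user's text can add or close filter clauses.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(text: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def expand_filter(template: str, user_text: str, escape: bool = True) -> str:
    """Substitute the typed name for every %s, as the check names step does."""
    return template.replace("%s", escape_value(user_text) if escape else user_text)


def parse(flt: str, pos: int = 0):
    """Parse one RFC 4515 filter starting at flt[pos]; return (tree, end index).

    Trees are ('&' | '|' | '!', [children]) or ('item', attribute, value).
    """
    if flt[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if flt[pos] in "&|!":
        op, pos, children = flt[pos], pos + 1, []
        while flt[pos] == "(":
            child, pos = parse(flt, pos)
            children.append(child)
        if flt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), pos + 1
    end = flt.find(")", pos)  # an escaped value contains no raw ')'
    if end < 0:
        raise ValueError("assertion is not closed")
    attr, eq, value = flt[pos:end].partition("=")
    if not eq or not attr:
        raise ValueError(f"bad assertion {flt[pos:end]!r}")
    return ("item", attr, value), end + 1


def validate_template(template: str) -> list:
    """Problems with a CheckNames template; an empty list means it is well formed."""
    problems = []
    if "%s" not in template:
        problems.append("no %s placeholder; every search would run the same query")
    try:
        _, end = parse(template)
        if end != len(template):
            problems.append(f"trailing text after the filter at offset {end}")
    except IndexError:
        problems.append("unexpected end of filter (unbalanced parentheses)")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def count_assertions(tree) -> int:
    """Number of attribute assertions; it grows when user text injects clauses."""
    return 1 if tree[0] == "item" else sum(count_assertions(c) for c in tree[1])


if __name__ == "__main__":
    template = DEFAULT_FILTERS[("active-directory", "email")]
    typed = "x*)(cn=*"  # constructed input containing filter metacharacters
    for escape in (True, False):
        flt = expand_filter(template, typed, escape=escape)
        print(f"escape={escape}: {count_assertions(parse(flt)[0])} assertions: {flt}")
```

With escaping, the typed text stays inside one assertion value (six assertions, the same as for a plain name); without it, the same text adds a clause per %s and the query no longer means what the template says.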

Define a custom filter by using a PRF file

  1. In a text editor (such as Notepad), open the PRF file. You can use the Office Customization Tool to create a default PRF file to edit. For more information, see Outlook in Office Customization Tool in the 2007 Office system.

  2. In Section 4 (which contains the default values for each service), enter CheckNames= as a new property and type the custom search filter as the value. For example, enter the following:

    CheckNames=(&(mail=*)(|(mail=%s*)(displayName=%s*)(customerID=%s*)))

  3. In Section 6 (which contains the mapping values for profile properties), define the CheckNames property. In the [LDAP Directory] section, enter the following new entry:

    CheckNames=PT_STRING8,0x6624

  4. Save the file.

You can then deploy the PRF file to your users. For more information, see Apply an Outlook Profile (PRF) File to configure Outlook profiles.

You can also configure other LDAP options by using a customized PRF file. See Example: Defining LDAP options in a custom PRF file later in this topic.

Define a custom filter by using the registry

  1. Start the registry editor, and then search for the registry value 001e6604 under the Outlook profile's LDAP service key. Outlook names profile property values with the MAPI property type followed by the property ID (PT_STRING8 is type 001e); the CheckNames mapping PT_STRING8,0x6624 used in the PRF procedure in this topic corresponds to a value named 001e6624, so confirm which value name is present in your profile before you edit it.

  2. Enter the new LDAP search string as the value data, or replace the existing data.

  3. Exit the registry editor.

In addition to using a custom filter for an e-mail name query, Outlook might use the same filter in a converted form for a browse list query. Outlook uses the custom filter in a converted form when the Enable Browsing check box is selected in the Search tab in the Microsoft LDAP Directory dialog box in Outlook. If you enable the browsing feature, or allow it to be enabled by users, you can help prevent search errors for users by testing the filter for both querying e-mail names and for bringing up a browse list.

Mapping server LDAP properties to Outlook MAPI properties

When you configure custom filters, it can be helpful to know the MAPI property names that correspond to the LDAP display names.

MAPI property name                 MAPI ID (hex)   LDAP display name
PR_USER_CERTIFICATE                3a22            usercert
PR_BUSINESS_TELEPHONE_NUMBER_A     3a08            telephoneNumber
PR_GIVEN_NAME_A                    3a06            givenName
PR_INITIALS_A                      3a0a            initials
PR_STREET_ADDRESS_A                3a29            streetAddress
PR_LOCALITY_A                      3a27            l
PR_STATE_OR_PROVINCE_A             3a28            st
PR_POSTAL_CODE_A                   3a2a            postalCode
PR_COUNTRY_A                       3a26            co
PR_TITLE_A                         3a17            title
PR_COMPANY_NAME_A                  3a16            company
PR_ASSISTANT_A                     3a30            msExchAssistantName
PR_DEPARTMENT_NAME_A               3a18            department
PR_HOME_TELEPHONE_NUMBER_A         3a09            homePhone
PR_BUSINESS2_TELEPHONE_NUMBER_A    3a1b            otherTelephone
PR_HOME2_TELEPHONE_NUMBER_A        3a2f            otherHomePhone
PR_PRIMARY_FAX_NUMBER_A            3a23            facsimileTelephoneNumber
PR_MOBILE_TELEPHONE_NUMBER_A       3a1c            mobile
PR_ASSISTANT_TELEPHONE_NUMBER_A    3a2e            telephoneAssistant
PR_PAGER_TELEPHONE_NUMBER_A        3a21            pager
PR_COMMENT_A                       3004            info
PR_EMS_AB_PROXY_ADDRESSES          800f            proxyAddresses
PR_USER_X509_CERTIFICATE           3a70            userSMIMECertificate
PR_EMS_AB_X509_CERT                8c6a            userCertificate

Example: Defining LDAP options in a custom PRF file

You can customize a PRF file to include LDAP options, such as defining a custom names filter or enabling browse list capability. Here is a sample PRF file with several LDAP options configured.

;Office Customization Tool
;**************************************************************
; Section 1 - Profile Defaults
;**************************************************************

[General]

Custom=1

DefaultProfile=Yes

OverwriteProfile=Append

ModifyDefaultProfileIfPresent=TRUE

;**************************************************************

; Section 2 - Services in Profile

;**************************************************************

[Service List]

Service1=LDAP Directory

;***************************************************************

; Section 4 - Default values for each service.

;***************************************************************

[Service1]

UniqueService=No

ServerName=ldap.boeing.com

DisplayName=BoeingCorporate

ConnectionPort=389

UseSSL=FALSE

UseSPA=FALSE

EnableBrowsing=1

UserName=

SearchBase=

SearchTimeout=60

MaxEntriesReturned=100

;This is where the value is defined
CheckNames=(&(mail=*)(|(mail=%s*)(customerID=%s*)))

;This specifies whether the Custom search base Boolean flag is set

DefaultSearch=1

;***************************************************************

; Section 6 - Mapping for profile properties
;***************************************************************

[LDAP Directory]

ServiceName=EMABLT

ServerName=PT_STRING8,0x6600

UserName=PT_STRING8,0x6602

UseSSL=PT_BOOLEAN,0x6613

UseSPA=PT_BOOLEAN,0x6615

DisplayName=PT_STRING8,0x3001

ConnectionPort=PT_STRING8,0x6601

SearchTimeout=PT_STRING8,0x6607

MaxEntriesReturned=PT_STRING8,0x6608

EnableBrowsing=PT_BOOLEAN, 0x6622

SearchBase=PT_STRING8,0x6603

CheckNames=PT_STRING8,0x6624

DefaultSearch=PT_LONG, 0x6623
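A check of a PRF file like the one above, as an added example that is not part of this topic and not code from the Office Customization Tool. It assumes the PRF is INI-shaped as shown, that every Section 6 mapping has the form PT_type,0xID, and that Outlook names the registry value for a mapped profile property with the MAPI type code followed by the property ID (PT_STRING8 is 001e, PT_BOOLEAN is 000b, PT_LONG is 0003; so CheckNames=PT_STRING8,0x6624 is stored as 001e6624). The embedded PRF text is constructed from the sample above, with ldap.example.com as the server and the CheckNames entry on its own line so that it is not swallowed by the comment that precedes it.

```python
# Added example (not Office Customization Tool code): parse a PRF file, confirm
# that every Section 4 property has a Section 6 mapping, derive the registry
# value name Outlook uses for each mapped property, and flag weak settings.
import configparser

# Constructed PRF text based on the sample in this topic (server name changed).
SAMPLE_PRF = """\
;Office Customization Tool
[General]
Custom=1
DefaultProfile=Yes
OverwriteProfile=Append
ModifyDefaultProfileIfPresent=TRUE
; Section 2 - Services in Profile
[Service List]
Service1=LDAP Directory
; Section 4 - Default values for each service.
[Service1]
UniqueService=No
ServerName=ldap.example.com
DisplayName=ExampleCorporate
ConnectionPort=389
UseSSL=FALSE
UseSPA=FALSE
EnableBrowsing=1
UserName=
SearchBase=
SearchTimeout=60
MaxEntriesReturned=100
CheckNames=(&(mail=*)(|(mail=%s*)(customerID=%s*)))
DefaultSearch=1
; Section 6 - Mapping for profile properties
[LDAP Directory]
ServiceName=EMABLT
ServerName=PT_STRING8,0x6600
UserName=PT_STRING8,0x6602
UseSSL=PT_BOOLEAN,0x6613
UseSPA=PT_BOOLEAN,0x6615
DisplayName=PT_STRING8,0x3001
ConnectionPort=PT_STRING8,0x6601
SearchTimeout=PT_STRING8,0x6607
MaxEntriesReturned=PT_STRING8,0x6608
EnableBrowsing=PT_BOOLEAN, 0x6622
SearchBase=PT_STRING8,0x6603
CheckNames=PT_STRING8,0x6624
DefaultSearch=PT_LONG, 0x6623
"""

# MAPI property type codes (low 16 bits of a property tag). Assumption: Outlook
# names a profile property's registry value as type code + property ID.
PT_CODES = {"PT_STRING8": "001e", "PT_UNICODE": "001f",
            "PT_BOOLEAN": "000b", "PT_LONG": "0003"}


def load_prf(text: str) -> configparser.ConfigParser:
    # interpolation=None: PRF values contain '%s', which the default
    # BasicInterpolation would reject as a malformed reference.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep property names case-sensitive
    cp.read_string(text)
    return cp


def registry_value_name(mapping: str) -> str:
    """'PT_STRING8,0x6624' -> '001e6624' (value name under the service key)."""
    ptype, _, pid = (part.strip() for part in mapping.partition(","))
    return PT_CODES[ptype] + f"{int(pid, 16):04x}"


def balanced(flt: str) -> bool:
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def check_prf(text: str) -> dict:
    """Return {'errors': [...], 'warnings': [...], 'registry_values': {...}}."""
    cp = load_prf(text)
    errors, warnings, reg = [], [], {}
    for key, svc_type in cp["Service List"].items():  # e.g. Service1=LDAP Directory
        if key not in cp:
            errors.append(f"{key} is listed but there is no [{key}] section")
            continue
        if svc_type not in cp:
            errors.append(f"no [{svc_type}] mapping section for {key}")
            continue
        mapping = cp[svc_type]
        for prop, value in cp[key].items():
            if prop == "UniqueService":
                continue  # profile-level flag, not a mapped MAPI property
            if prop not in mapping:
                errors.append(f"{key}.{prop} has no entry in [{svc_type}]")
                continue
            try:
                reg[prop] = registry_value_name(mapping[prop])
            except (KeyError, ValueError):
                errors.append(f"[{svc_type}] {prop}={mapping[prop]} is not PT_type,0xID")
            if prop == "CheckNames" and value and not balanced(value):
                errors.append("CheckNames filter has unbalanced parentheses")
        if cp[key].get("UseSSL", "").upper() == "FALSE":
            warnings.append(f"{key}: UseSSL=FALSE, so queries (and the UserName "
                            "credentials, if set) cross the network in cleartext")
    return {"errors": errors, "warnings": warnings, "registry_values": reg}


if __name__ == "__main__":
    for kind, items in check_prf(SAMPLE_PRF).items():
        print(kind, items)
```

The registry_values map is the practical output: it tells you which value name to look for under the profile's LDAP service key when you follow the registry procedure earlier in this topic, instead of guessing from a property ID.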
